Why Cybersecurity Must Serve the Business, Not Block It
Season Three · Episode 11


In this episode, Carl Froggett, Chief Information Officer at Deep Instinct, brings a rare, full-circle perspective on how the cyber landscape, leadership, and culture have evolved from the early 2000s to today’s AI-driven world.

Transcript

Raghu N  00:11

So welcome back to this episode of The Segment, and personally, this is an episode that is extremely close to my heart. I'm sure today's guest, when he interviewed me on the 10th floor of CGC2, Citigroup Centre 2, in London in early 2004, didn't expect that 21 and a half years later, he was going to be on the other end of the receiving end of the interview. It gives me huge pleasure to welcome Carl Froggett, Chief Information Officer at Deep Instinct, to The Segment. Carl, welcome!

Carl  00:46

No man, thank you. Thank you for the introduction.

Raghu N  00:50

And the introduction hasn't finished yet. Oh, it hasn't finished. Okay, hello, first of all, right, so, so Deep Instinct is the first company to apply end-to-end deep learning to cybersecurity. In this role, Carl leads global infrastructure expansion and scaling of systems security and processes to support the company's international growth and strategic partnerships. Before joining Deep Instinct, Carl spent over two decades at Citi, most recently serving as head of global infrastructure defense and CISO cybersecurity services. He was responsible for delivering integrated risk reduction capabilities across Citi's devices and networks in more than 100 countries, and held a series of leadership roles spanning architecture, engineering, operations and enterprise cyber services. Carl brings extensive expertise in building high-performing teams, enterprise systems architecture, and aligning cybersecurity practices with business priorities. He holds CISSP and CISM certifications and earned a BSc honors in computer science from Loughborough University in the UK. So Carl, with all of that, what our listeners really want to know is how you became a bit of a pool hustler when you were at uni, so stop there.

Carl  02:03

Oh, you, you remember all the good ones, eh? Well, yeah, certainly for the audience, Loughborough is, I think still today, the predominant sports university in the UK and Europe. And Olympians, Team GB, English rugby team, their cricket, right? They kind of go through Loughborough. They have a really good sports department. So let's just say that the intramural sports were pretty competitive. And whilst I was doing good, if you remember reviewing the squash league when we were in Victoria and I was, I think I was in Division One, I got crushed. So the one game that I was pretty good at, so I've been playing it since I was a kid, was pool and snooker. So I became the pool team captain of Rutherford, and we won the trophy two years in a row. So that's my sporting prowess in a nutshell. That's how it, that's how it happened. Amazing.

Raghu N  02:59

So, so were you hanging out in dimly lit bars? Right? Just challenging anyone who's stood up to your table, taking their money?

Carl  03:07

Nah, nah. I never did that sort of thing. It was more, I don't think, oh no. I have played a couple of times for money, actually, that, funnily enough, was here in Boca Raton, Florida. But not, just do it for the fun and the spirit. You know, it's still good today, and I have a pool table in my house. It was one of the things as a kid. I always wanted a pool table, and let's just say, quite a few years after that dream, I managed to get it a couple of years ago, thanks to my extremely generous and understanding wife.

Raghu N  03:42

Nice, nice. And that's the episode done. Thank you to all our listeners. No, that's so cool. Like, look, you've spent almost 30 years in this industry, and a large number of those in cyber, but you didn't start inside, but you kind of fell into cyber. So let's talk about, sort of the early days of your career, and what essentially made the transformation from, I think you started off like in the services team and then moved over into cyber. So talk about that.

Carl  04:11

No, I mean, if you want to kind of go back, and my, and again, college in the UK was 16 to 18. I didn't take an A-level route. I took BTEC, it was called, and what would you call that? Like, what would you call that, Raghu, the BTEC? It was more, still called BTEC. BTEC, yeah, but it's not a pure, it's a more vocational route, vocational route. And so that got me, I've worked with a couple of very local companies, you know, doing PC support and supporting local businesses. That's important, because when I was at Loughborough, I took a gap year, I took a year out and just kind of said, yeah, I need, I needed to do something different. And I landed at NCR for, you know, as a student, right, trainee. And the reason I got that role is because apparently, and this was my boss, Francesco Tartaglia Polcini, he said I was the only one who could not only build a PC from scratch, but name all the components and do all this. And that was due to the fact that I was doing it day in, day out, back in, in the NIO group, right? So isn't it nuts how things kind of go together, right? And I was up against, you know, much more academic students than myself. But so then that led to, you know, having that experience at NCR, which was amazing. That just led on to other jobs at American Express Costa in construction and technically, Walker breweries kind of doing the same thing, networking, PC, server, and then I landed a job at Salomon Brothers. And funnily enough, my first job at Salomon Brothers was pulling cables under a data center floor, right? So I remember, you remember, Raghu, you had to be in your suit and tie. Yeah, right. Like, didn't matter what you were doing, suit and tie, pulling cables. And I'm like, I'm so glad I did my degree so I can, I can pull cables. But look, it was all about you do what needs to be done, right? And then that grew into junior network analyst, I think the title was.
And as I was telling you the other day, yeah, I didn't realize at the time, but that was probably my first innovative kind of thing. Was we, we deployed this ISDN gateway from a Canadian vendor to pretty much every Salomon's employee in the UK and parts of Europe. And at the time, I had to work with the vendor, because they were Canadian us, and the signaling protocol didn't work with BT ISDN, right? So we had to troubleshoot all that and get through it, and then that led to trading floor. So I did trading floor builds and designs. For people here, there is a networking technology called ATM. We were doing this in the early 2000s and we won a ton of awards for ATM to every server and PC on the trading floor, and then we started getting into MPLS and that connectivity, and that's how it kind of pivoted into cyber, because it was something that needed to be done, but it wasn't necessarily mature, right? So that's how I accidentally fell into cyber. And the rest, as they say, is history, right? I mean, it's just, it's been crazy, yeah, the evolution of cyber has just been crazy, from, yeah, being pretty much the sole person, at one point, being the technical kind of lead engineer, managing a couple of people, making sure things got done to them. As you say, yeah, ultimately that grew up. You were part of this, right? EISs, that was what, 250 people at its peak, and then big life lesson, right, was when that got disbanded, because Citi, as it became, Salomon Brothers ultimately became part of Citi. They disbanded regional models and went global. So I went from a team of 250 something down to a team of six or seven. I have the original photo, and that became global infrastructure defense, which I think when I left, was approaching 300 people, right? So, yeah, crazy times, man.

Raghu N  08:29

So, no, it's crazy times. I will talk about some of that stuff as we get along, right? But let's talk about just, you could have, you said, right? Like early 2000s or late 90s, you were just sort of getting into cyber, and were pretty much the first person, like at Citi or Salomon Brothers at the time, whose role was dedicated to cyber. So when you started, and you think back when you were thinking about cybersecurity, or security, or information security, as it was then, what was, like, what were the threats? What were you worried about?

Carl  08:59

Honestly, I remember a large vendor that makes mainframes, right, I'm trying to avoid names, but they, they had a solution, an intrusion detection solution, right? And all I remember is it being massively expensive, and we, we didn't renew. We turned it off because, because, to your point, Raghu, at the time it was, it was really more around, less about threats, less about hacking, less about malware, viruses, whatever, right? It was, it was more around constraining connectivity, right? So it was definitely more your firewall vendors, and I think that's around the time Check Point came out with a Stateful Inspection Firewall. I remember installing Check Point on Solaris on Sun boxes. And it was, Check Point was just a software package kind of thing, right? So we weren't really, it was nowhere near the maturity it is today, right? Look, I make a joke, but it's totally true. We didn't really have a budget, right? We were seen as a necessary evil, because auditors and regulators were starting to kind of ask, and really security at that time was a compliance function, right? So if you think of the other elements of security, of identity and data loss prevention, I don't think it really existed back then. So yeah, it was more of a, it wasn't seen as a business enabler at all, right? You were seen as a speed bump. And so yeah, if I look back on that, what we had to do was make sure that the business understood why we were doing what we were doing, and if we didn't do what we needed to do, what it would mean for them. Yeah, right. You can't trade. You might lose your banking, like, but without the scare tactics, right? I don't, I don't do scare tactics, just pure kind of, hey, if we don't do this, this, this, this will happen, right? An absolute, you know, you'll fail an audit, you'll fail a regulatory whatever, right? This could happen. And then again, that's, uh, this is the high chance of this happening, or there's a very low chance.
But, you know, and so it forced you to do that because you were not in a, you were in a weak position. It didn't have the gravitas it does today. You know, like it's hilarious to me today, you can open the news every day. Cyber security is in multiple news stories in mainstream media. Now, you were reading the padlock monthly magazine, right, for your security, you know what I mean? Like, it was not, it was just not accepted. It was, and then, and then you had things like Cobre, Nimda, Stuxnet, and I can't remember the years, right? But yeah, the big Sony PlayStation, the hack, and the Sony Movie hack, you know? So, so all those kind of big incidents you had, the Citibank actually, at the Russia ATM, right. So those big incidents started to change the value and the optics of cyber, to be honest, to be, hopefully, where it is today.

Raghu N  12:16

Because I think what you said, right, actually, in that something that was really interesting was really about even, because we talked so much today about how, how security leaders need to be able to frame the value of what they're delivering in the context of business outcomes, right? But what's, what's and that that keeps being pressed home as kind of a development area. But what you encapsulated was actually even going way back when, right to when, sort of this journey all started. You were doing that then, because if you didn't given that, you were kind of hidden away as part of a compliance function like the CISO role didn't even exist at that time. You're kind of, you were forced to communicate the value of what you're doing in business terms, for example, you won't be able to trade right your data won't come in in a timely fashion, etc., whatever it may be, even back then. So I kind of want to like, where did we like as an industry? Where did we lose that ability to communicate value effectively.

Carl  13:23

So like in my, in my current role, I get to see a lot of different customers and, you know, beyond, beyond that award winning podcast, like this one, congratulations. Great. Well done. Thank you. So I kind of get to see and so one thing I think, and you do too in your role, right? So I'd love your perspective, but I still see companies today, blood enterprise, all the way down to small, that don't invest in cyber, number one, right? So they're still, for whatever reason, don't appear to be too worried. But I think there's a thing here of, if I'm thinking of what I just talked about, I had to win. I had to make sure that they really understood the value. Now, the key thing when you're working for an enterprise, you are ultimately working for the business. You are supporting the business strategy. And one, one thing that you know, one kind of thing that always stuck with me was banks take risks every day, right? They give mortgages to people. There's a risk, right? They're doing trades. They do it, right? Banks take risks every day. It's that, that, that that stuck with me all the time. So I think we don't have a sense of entitlement, right? So I think a sense of entitlement has maybe crept into the narrative of, yeah, I'm the CISO, or like, I'm Supreme, but you might be right, no, right? You've still got to earn the business, right? You still, you've still got to earn the stakeholders, build the trust, right. And a lot of that is nothing to do with cyber. It's about being part of the business team, understanding their decisions, their business strategy, their go to market, what their future is, right? That, all that kind of thing, nothing to do with cyber, and your job is to enable it, right?
And if you want to go and play with the innovative thing over here or whatever, right, that that's not aligned to your business, then you know you either need to be focusing on the things that are innovative, that will support your business, or, to be honest, you need to go and work somewhere else because you can't, you can't look at things ultimately, that are not supporting your CEO, your board.  

Raghu N  15:53

Bottom line, yeah, no, I agree. And I think the one thing that I'd add to that right, it ties back to what you said, is that the businesses, business leaders, are taking risks all the time, right? So there's manage risk Exactly So, right? You need so if you have identified as a security leader, if you've identified that there is a significant cyber risk, you need to be able to connect that in a way to say this is why this risk matters in the context of your overall organizational risk that you are, that you are willing like, because otherwise it's, it's kind of like a standalone and I think this also comes down to when, when we're doing things like tabletop exercises, threat modeling exercises, etc. There's no point just starting from the technology you kind of need to start from. Like, what makes you money, right? What are the processes that help you make money? And then, like, what are the what are the systems? What are the technologies that line up to that, and then flow from there? And we often forget that top bit.

Carl  16:55

And yeah, the number of times in light, and you know, where we've had a technology product, looking for a solution or looking for a problem, right? And it's, like, cool tech, cool. Like, great, I'm not, I'm not dealing with some of it's not cool, right? But, but you know, what are you actually trying to solve? And, and the number of times that, yeah, I've had that conversation is, is kind of scary, right? So, and then, yeah, I work for a gentleman called Lane Bess, as you know, so you'll talk about, and these are things I've learned from him over the last three years or so, is product market fit, right? So, yeah, what are we actually trying to solve? Right? From a development, product, technical perspective, but product market fit is all about, what are we actually trying to solve for the customers, and then, and then every customer is a little bit different. Every vertical is a little bit different. So, but ultimately, Raghu, yeah, I'm sure you've been doing it where you are. It's the same as a stakeholder within a big company like Citi, right? So you got to, you got to think of Citi. And I think you and I, certainly myself, it took me to do what I'm doing now, to kind of have a bit of a reflective moment, man, that was a hard, complicated place. I want to kind of clarify that, because it is, it's a banking giant, and it does everything from consumer, consumer credit cards, right, which is massive volume, low margin, right, to, I don't know, algorithmic trading and low latency trading and whatever, which is massive volume and right. And now the, and private banking, private wealth and CTS, as it's now called, right? Like, so many different products. Now, the thing with each of those, and there's more, right, is they all have different priorities. So consumer, if I went with the most expensive solution on the planet, right? That could be mitigating risk down a naught point, naught, naught, 1%, right?
But cost was an issue to them because the margins were so tight in the consumer space, but you go to Leo or somebody in low latency trading and ICG, cost wasn't an issue, right? They, they were talking about much. So that's what I mean about the complexity, and really looking back on that now, they're just different verticals. Yeah, you and I call them verticals now, right? Like utility, banking and all the other, manufacturing, right? We just had a company that had many different verticals, and we, we had to, and that was the challenge, because global infrastructure defense, right? So every business in Citi had to use the things that we and my team produced, right, without except, you know, there was, that was, that was always a fun conversation, right? But that was a smart CISO decision, that, and it was smart to be supported by the CEO and the board, because there's any cybersecurity person, they already have fragmentation and multiple different products. There's weak areas across the point, right? So at least doing it globally, you could have a, not only kind of keep your costs, because you're not replicating vendor solutions everywhere for the same problem, right? You get operational efficiencies and all that sort of thing. But you can ensure it's configured correctly. You can ensure, right, so there's no fragmentation. You know exactly where you are with what I call just basic hygiene of patching and versions and all that kind of, right, so, and now that was something that, you know, like you say, when was that, early 2000s? I want to say 2000.

Raghu N  20:51

Like mid, mid-2000s, probably 2004 or five, something.

Carl  20:56

Time, right? That we made that big, big switch, right? And even today. I mean, I go to customers and prospects all the time, and the one thing I'm always observing is their organizational structure and culture, right? Partly because I'm trying to work out who the stakeholders are, yeah, you know? So, yeah, part of my job is I'm not a salesperson, right? But part of my job is to help customers get the most out of our product based on what problems they have. Yeah, right? Yeah. To do that, I need to understand like, you know, and yeah, some of them are more mature than others, right?

Raghu N  21:37

Yep, no, I'll leave that last point, and we'll come back to sort of what you're up to at Deep Instinct in a bit. But that, I think, is just the key, is frame it in. You've got to start off with what is the problem that the customer is trying to solve, and then work back from there to how your technology can help them, versus, hey, I have this cool technology, right? Let me tell you about it, and then you'll figure out whether it's a problem, whether you've got a problem, because either the customer realizes I don't have a problem, or because they're trying to, they're trying to retrofit, it becomes shelfware.

Carl  22:08

And look, I've done my, I don't know if my sales people are going to listen to this, but I've upset them a few because I'm like, hey, we're not a good fit for that, right? And this was the end. And again, this is about stakeholders. And so when you're in a company, like I said, there's key stakeholders, right? So if I think of some of the things that we did, you know, there was one time where I stumbled across Palo Alto Networks, right? And we can talk about that in a minute, but because it didn't come through any sort of path, it literally was me going to a conference in one of, one of those one hour lunches in one of the London hotels with the rubbish projector screen and all that, right? Palo Alto, this was them when they were a startup, right? They were, so they were on version one, right? And Nir Zuk, I remember. And the reason I went, because I'm like, New York, I know the own NetScreen and Juniper. I want to go and listen to what this guy has to say. And I left that, you know, there's a whole story behind that, but I left that. And I'm like, we, this, this is game changing, right? You know, I passed, you remember Howard and Eric? I'm like, I need you to test this now, right? Like, I, yeah. I'm like, stop what you're doing. You're testing this now. And I still use this phrase today, this, when Howard kind of went, Carl, Carl has been PowerPoint engineered, right, right? And I still use that phrase today because I think it's awesome. Thank you, Howard, right? And make sure we distance to this No. And they, yeah. I mean, I don't know if you'll remember, it was a long time ago, but he and Eric, like, went away and kicked the tires, I think, for two weeks, unless I told him to stop what they were doing. I was so excited about what they said they could do, right? And they, they then asked for another two weeks, because they didn't believe the results when compared to what we had, right? And so I'm like, fine. Now here's the thing, right?
So now I've got this amazing thing that we'd proven, proven out, but, but, man, nobody believed it. Yeah, right. And I, I'm not kidding. And I'm like, I wanted to, and there's a cost element and whatever. But I'm like, we need to put this on all the Internet facing stuff today. Big, big money, right? But I couldn't get buy in. I couldn't get, for Charles at the time, it was a bit too, too risky, right? Like, you know, we got to prove it out. We got to go slow, and I, it was just one of those times I'm like, we, we gotta, we gotta move, right? This, this stuff is game changing, so I'm gonna go back to what I said. So now I had a freaking crazy good technology that's looking for, that's looking for a problem, right? And I thought the problem was, at the time, I thought the problem was, I've got these stateful inspection firewalls. We can't do line speed. We can't do SSL inspection, right? Yeah, whatever. Like, you know, that, that was my, that was a problem, right? But I couldn't get anybody to buy in because, because they wanted to prove it out and go slow. So it just so happened that we were renewing our IDS. So IDS is out of band. It's out of band, right? I remember, if it all goes wrong, there's no business impact, right? It's all on call because we don't have IDS. And so this goes back to what we were just talking about. So when I went to Ali Jack and Geary, you know, right? And I kind of showed him the test results, and then, so this is, I'm like, you should test it. See, his team kicks the tires, and they're like, oh, these are pretty good. So they were then supportive of putting, I think, one or two or three or four, maybe, into the IDS, because it's out of band. If it all goes wrong, there's no business impact, right, other than comp, but that's all on me, compliance and whatever, right? And I remember we put a handful in and had to strong-arm Palo Alto, because nobody wanted to buy, right? So strong-arm them on the price and that, that was it.
That was, yeah, those guys. And here's the thing, so, so we were testing it from how good is it, right? Speed, does it block threats, right, and all that sort of, you know what their biggest thing was, because it was much more accurate than the IDS we had? They saw the operational efficiency of having much lower volume of false positives. And I, yeah, and again, this is just, you know, as you go through things, that's an experience, right? That was it. And then, man, like, I just sat back because Ali was like, as the head of security operations for Citi, he's like, I want it. I want this everywhere, right? And so, so again, that was something of,

Raghu N  26:59

yeah, yeah, it did it for you. Yeah.

Carl  27:03

Just had built, yeah, obviously SOC and we, you know, I love the guy, right? But, but I had to work with him and his team every day. So we had that trust. We had that, whatever you guys. So when I kind of went and I told him, I'm like, hey, I just found this, right? But it looked really good. He supported, you know, he's like, I'm going to take, I'm going to take a bit of time to validate what you're saying. Right now, if I didn't have that trust, and we didn't have that relationship, it would have been much harder, because the natural thing is not invented here syndrome, or, I've got other priorities, right? So, so you had to have that. I have another one with Deep Instinct. And that was with Leo, clearly, Chev in low latency trading, right? And again, I kind of went and I had all these things of whatever as to why Deep Instinct was great, and all this. Leo's thing, and Leo, so Leo was responsible for the technology in low latency trading, including the apps. Yeah, what his thing was, it was the same, is the such a similar thing? His thing was, I love it. I'll support it, not because of all the wonderful things that Deep Instinct can do when it comes to zero-day threats and all that kind of stuff. His thing was, it's fast, but it's reliably fast. And what he meant by that is, is with sandboxes and the other tech we had, the fluctuate when you get, when you see a threat, how long it takes for me to inform the app. So, and he showed me, is like, I can get a result from a sandbox in 20 seconds or 22 minutes, I think was the worst one, because it Carl. It's too unreliable. My application teams don't, you know, they've got SLAs, or they have the customer experience of using our website, right? It's like, it's too variable to be able to build a good app, yeah. And the thing with deep learning is it's extremely reliable at returning a verdict in a very narrow window, right? That was it. He didn't care about all the other kind of security stuff.
That was his pain point. And again, right, as soon as he was hooked, right? Yeah, I'm like, you know, he kind of plowed the road right? It was, it was, it just took off on its own, right. So it's Intrepid. Both of those things came from as already having an established relationship of when we can talk about how you how you do that, but, but then it came from me listening, and, more importantly, me not being the Yeah. Like, why you? You need to do it right. Like, which I see all the time. No, I don't right. Like, yeah, no, I don't. I've got all this other stuff to do. You can't go in with that.

Raghu N  30:00

Yeah, so right? You mentioned Palo, you mentioned Deep Instinct. So let me just rattle off, right? The technologies, and I'm sure this is not a complete list, the technologies that you or the teams that you led were responsible for bringing in Citi and you, you were part of it, yeah, of course, of course, a few, right? The but, and I think again, right, as I rattle off this list, what's important for, like, the listeners to realize is that in pretty much every single one of these, if we think about like a Gartner Hype Cycle, where our adoption, Citi's adoption, was literally right on that sort of, that's that, that super early adopter, right? It's not that we waited for these things to mature. So here's the list, right? And I'm sure it's incomplete. Check Point, BlueCoat, Juniper, Palo Alto Networks, ArcSight, NetWitness, Illusive, Securonix, Splunk, DTEX, Illumio, CrowdStrike, Cribl, Forescout, Deep Instinct, and I'm sure there's a whole ton more, right? Every, like, it's like a, it's like a hit parade of incredible technologies that have, that have made a difference. So my, my starting question to you in this part of it is that, how were you able to consistently, and in an organization the size and complexity of Citi, be able to bring in new technology after new technology in generally a successful manner? Just talk about, let's, let's start there, and then we'll dig in, right?

Carl  31:40

I think that's a deep question. How long is this podcast going to be, right? I mean, long for look. So I think, first of all, you know, late in the later stages, you know, it became a lot more formalized what innovation was, and we had an innovation team, and we had all this kind of stuff, right? So a lot of these came in through different, different routes, right? Different routes? Oh, we're on the British Post channel. I can say routes, routes and routes. I don't know what route is. So it's a, it's an interesting question. And again, I have to come back to, yeah. First of all, I just, I love what I do, right? So there's an innate like, I'm, you can ask my wife, right? I'm always kind of reading, and, you know, I just love what I do. So that's number one. Number two is, yeah, there's an element here of, you know when, when you see. So some of these came from a business problem, right? So some of these were driven by, you know, the business, so you think of, and again, the audience have got to understand, right? Like, you know, I'm a little bit older than most people, right? I started, yeah, that, that example I gave at the start, people didn't have internet at their houses. Pagers were a thing. Blackberry, like, I remember when BlackBerry came, right? But we had pagers with little keyboard thing, right? So it's really changed a lot, but it, but it, equally, it hasn't. There's, there's, there's things that you're able to see. The big thing for me is listening. It's what you know. So you work for the CISO. We had an amazing CISO in Charles Pomona, right? And, yeah, and then he drove a culture of his leadership, right? Dan Tegard, John Miller, yeah, you know everybody else. And then, yeah, it's a big, complicated organization. Then you add the John D'Onofrios, who, kind of, overall, ran it. You had the Greg Lavenders, who just retired from Intel and recently got married. So congratulations, Greg, right. 
So we worked with, like, amazing leaders, but at the time, Raghu, yeah, I'm like, these are good blokes. You know what I mean? Like, you know, it was just, it was, it was a joy to come to work. So, so I think the first thing is, is there was a culture, right? And Charles's culture was, I've got your back, I've got your back. Yeah, right. So, quite a few of these, for example, he would, he would say, as we were looking at things, and again, I remember this, is like, let me worry about the money. You tell me what the right thing to do is, right. Don't you worry about, like, so, so he's kind of, you know, and it's good, right? But bringing these in, it's all about, again, some of them are very much, we have the problem, let's go and find the right thing to do. And I'm just thinking through some of those. Yeah, they arguably were the slower ones. Why? Because you kind of, oh, we know what the problem is. We've scoped it, right. And then, you know, we go through this when we, when I did the SASE stuff, right, which ultimately went to Zscaler, right? But that was, well, we can talk, that was an interesting one. But, you know, you do the market analysis, right? You're like, oh, there's no, in the SASE, there was over 30 vendors that we considered. So to be blunt, that took a year to whittle it down, right? So they move slow. So then when you find something like, well, I just shared the Palo Alto one, which is just a lightning bolt out of the left field, they actually move quicker. But there, the challenge there is that whole alignment and getting it on board. Yeah, so, but look, the commonality of this is, ultimately, it's got to add value to your business, right? And you already need your stakeholder, you already need your stakeholder network. And when you're looking at, and I just use the example of IDS, right? You know, I didn't think of the SOC at the time, right? Because I ran firewall and firewall lot, right?
So I was a bit, you know, kind of tunnel vision on, on, on what my problem was, which was, couldn't do wire speed, couldn't do full SSL inspection of everything, yeah, and all this kind of stuff, right? Yeah. I didn't think of the SOC, right? Right? And ultimately, like they it became like, I just let Ali go and clear the way, and we managed to get them what we done. So you need to be able to pivot. You need to be able to take a step back. You need to listen, right? Yeah, sometimes, and you know, you know, you think you have something good, but the if you listen to what people truly listen, not what you think you want to hear, right? It'll actually help you understand and maybe change your pitch and be successful, right? But I think the other big thing with certainly, what Charles and John and Dan and everybody else was, was you, if you were transparent, it was okay to fail, and that's huge. Again, if you don't want to fail, you're not, you're not taking any risk, right? And cyber, to me, has always been a if you're if you're too slow, you're going to get breached, because that's how bad actor you know the even the script kiddies back in the day, but especially now with generative AI, the low-hanging fruit is, is the old stuff. So you can't be too slow, in my opinion. I love to see the comments on this one, right? But, but equally, there is a risk of being bleeding edge, but you're not going to be bleeding edge everywhere, because you don't have resources in the time. So you need to choose where you want to be bleeding edge, and that might be supporting something that your business wants to do that they don't currently do. I remember when we were doing digital banking, right, and mobile home, mobile security, and, you know, the evolution of biometrics and right? We had nothing in the toolbox for that, right? So that was a great example of absolutely, have to support the business strategy. We have no choice, right? 
But it's a hard one to say, but it's all those characteristics, but a lot of it comes down to you've got to have the trust of your business and that that comes before you go to them with a solution, an idea or something that you need buy in with, right? And then you need to have that culture of this isn't going to work all the time, right? You got to have the culture of failure, but you got to have the transparency. So the number of times I was nervous being in front of Charles or Mike Whittaker or right, knowing that, that I had that, yeah, that we haven't been successful in whatever it is, but it was all as long as you were prepared. And it's like, here's why, right? I always say all the time, but 90% of the time it was understood. It's like, well, what's your new plan? Yeah, and so again, you go into those things prepared. I knew what they were going to ask, right? So you don't kind of all get back to you on the new, no, you needed to know what you were going to do. And every time you learn from it, everything else that you get, you get better at it. So those things become a little bit less and less right?

Raghu N  39:23

Absolutely, those were, those were great experiences, fun times. Fun times. Let me throw it back at you. You were part of this, right?

Carl  39:29

Yeah, like, so you've got a different perspective, because my job was to, and I don't know how good a job I did of this mate, looking at your gray beard there, maybe not too much, right? But, yeah, my job, I always felt, was to filter out the noise and the distractions so that you all could get on and solve the problems. And my job was to, you know, manage upwards and sideways to business stakeholders, upwards to CISO and the business execs through and then the regulators and the auditors and all that kind of stuff, right? Yeah, that was my debt. But my other day-to-day job was looking after you as individuals in the team.

Raghu N  40:19

Yeah, absolutely. And no, I think that the culture of that time, I'm really glad that you mentioned some like, just really key individuals who enabled that culture, right? Greg, who, as you said, has just retired as CTO of Intel, former CTO of VMware, but before he did all of that, was our head of head of engineering, and who sort of pretty much came in and established that innovation and entrepreneurship culture that you said right as, is that like, it's okay to we don't, we're not expecting it to be right and successful every time. But continue to push the boundary, push, push the limits of what we can do. And then, of course, right then the then to like, to support that. Like Dan Tigar, who is sort of Head of Security Engineering, Charles Bloor as the CISO. John Miller is Head of Security Operations union role as head of infrastructure defense engineering. Essentially this, like this great sort of network, and I know you speak about this, right? None of these, they didn't all share the same reporting line, right? So it would very much right that it could easily have been, oh, well, hey, look, that's none of your business. Or, like, I have my own priorities. You've got your own priorities just to stay in our swim lanes. But this was very much always, always aligned, right? And it's like, let's agree that these are the right problems to solve. These are right things to do, and we're going to work on it together, or we're not going to do it at all. Not so no halfway houses. And I think definitely for our for our perspective, it then felt that, look, if there is Excite, something relevant and exciting that we think we should be looking at we can bring it right, and as long as we can communicate that effectively right, we get a chance to show the value right, as opposed to just being told out that's not a priority. 
I think that was a that was a great, I mean, exciting time to be there, but also such like feeling, sort of in terms of the growth that I think individually and collectively, we all had was incredible because of that, essentially, that culture and that ecosystem that had been that had been created.

Carl  42:35

I did a presentation at AWS for their tech summit a couple of weeks ago, and I kind of went through the history of cyber because the room was full of essays and Amazon people, not necessarily cyber people. And that the real purpose of me doing that was to show that the threat landscape shifts, and there comes a point where you as a as in my, certainly my old role, where you, you need to reinvest, right? So what do I mean by that is, and this is a hard thing, but you need to accept it as a leader, right? You might build a great rapport with a vendor. They might have your back, right? You know, everybody there, they're really good. They're doing a good price, you know, whatever. But the threat landscape shifts, and they haven't kept up. And, and you as the lead, you need to kind of go and, you know, you need to kind of go and say, Hey, I'm sorry, but we're replacing, you know, your stuff, because here's the results, right? Your stuff's not good enough anymore, right? And so I think, you know, certainly Charles as the CISO for for a long time, he got that right. I don't think he ever articulated it that way to me. But you know, this, again, is just me, been, been reflective, and Greg bought that into the rest of technology, right? So I think we, I think Charles was, we were doing it out of necessity, right, to protect the bank and that. So, like, I say, Yeah, we are you IDs. That was years and years ago, but total wholesale replacement in under a year, vendor that we'd had for over 10 years. Yeah, right. And, and I remember saying, I'm not going to name them, but I remember sitting down with the founder and the CEO, very successful company at the time, who ultimately got acquired. I remember sitting with him and talking about the why, why, why I had done whatever and and, you know what? He graciously said, I totally missed the boat. I didn't I remember seeing where he goes. I didn't understand the value of next-generation firewalls.
I didn't he, he didn't understand, yeah, because, and again, he's like firewall, nothing to do with me, right? And he missed it. And that sticks with me, because that, again, is, yeah, I let you down. You know what? I mean, they'd like, it's, it's a phone. He didn't have to say that to me. It was in a private setting, obviously, but, but that that sticks with me, and so, so I think Greg bought that, and there was a great quote, I think it was from the IKEA CEO. So IKEA have this, and it's hilarious. You can Google it. It's kind of an interesting so IKEA have this. I think they call it the banana card. Every employee gets a banana guy, and it's basically signed by the CEO, and it's basically a it's okay to fail. Here's your here's your get out of jail, free card, right? You can make mistakes, right? But he's, it's, that's kind of funny, and that's a fun thing, but he had a quote around it was, Why? Why? Why? Why that? And it's all part of culture and whatever. But the thing that stuck with me, and not an exact quote, but he kind of said it's the mediocre people who are negative, who spend time trying to prove that they weren't wrong. Yeah, yeah, absolutely that. That's what Greg changed, right? We Yeah. And again, we're looking with like there's a trip down memory lane this mate, right? We're looking back. And that is so true, right? Yeah. And yeah. So you know, being able to you and I have been on many incident calls over the years where it's our it's our fault, not that somebody or we have many examples of where somebody fat fingered, but it could be a failure. The technology didn't work, the backup didn't work, yeah, whatever, right? But ultimately, it's our service, right? And that was the other thing. Was, at some point in this journey, I shifted my mindset as a leader, to providing firewalls and whatever, to providing services, right? 
Yeah, and when you make the shift to I provide services to the business, your mindset shift, I'm not, hate to say, and you know, I don't want to open the door to any Mickey taking from you, but yeah, it was a real hard journey for me personally, being a very technical person back in the day, to then being a leader of a small team to a leader of a big team, and honestly, in a way, getting further away from that that was a really hard journey for me. I don't know if I've ever shared that with you before.

Raghu N  47:46

No, no, I could. I know that, right, and the reason I know that is because nothing would get you excited as just sort of getting in early, jumping on the Trouble Ticket queue, even though at this point you were essentially running this massive engineering org and granting or denying people their requests for accessing some website that the web filter would be blocking, right? And that would be like, yeah, hey, hey, everyone. I closed, I closed 15 tickets this morning before you guys all got in, and I ensured that our branch out in Barcelona could all access whatever, right, like the Spanish Grand Prix feed, all right? Something inane like that, right?

Carl  48:38

I know I remember getting a music streaming service, right? And it was affecting the business revenue, right? It was affecting the body that was in the ticket. So of course, I reply back and go, Oh, please, please send me the I can make an informed decision, right? Giveaway. Never heard anything again, right? So, yeah, you know what more did that felt I was doing a little bit maybe, but also in those things, because they can get contentious when you say no to a business, right? If it comes, if it can, kind of came from me, and it kind of, again, it takes some of the you don't need that very

Raghu N  49:18

interesting business requests that we've had to deal with over time. So I know we've, we've been, we've been chatting for a while, right? But before we, before we wrap, like a few things, Deep Instinct, who you're at now. So you've kind of left your time at Citi and joined the promised land of vendors, right? And you're at Deep Instinct. And of course, like, AI is everywhere now, I mean, like, it's sort of, I don't want to trivialize it, but talk about, like, Deep Instinct's approach to solving the endpoint problem.

Carl  49:56

Well, I think, yeah, when I joined actually Deep Instinct. Came across Deep Instinct by working at Citi, and ultimately, as I kind of mentioned earlier, bringing them on board. So yeah, what I would say is, you know, the end point? Yes, we have a solution for the endpoint, but really over, if you look at our product portfolio over the last kind of two or three years, which I would hope I've had a little bit of an influence in. It's really about taking our unique core, different differentiation, which is deep learning, which is the most advanced AI right available. And again, it's one of those paradigm shifts. So you and I and Dawn and others. Yeah, we deployed machine learning kind of technology 15 years ago, right? And certainly another in a lot of use cases, it's had its time. Yeah, we, we do. I've done many of these live demos where we use generative AI. Now here's the thing. So it was coined dark AI. That's the dark web, right? And these are just LLMs that have had their guard rails removed. So you can tell it to build ransomware, and it'll happily do it all day long, right? So what you have now, and it's such an interesting time you now have with the generative AI tools, people like you and I, we can build what we used to call nation state sophisticated threats. Yeah, in seconds, yeah, and we do a live demo. Maybe mate, we can include the link, because we have a recording of it, but we do a live demo in front of every prospect, right? And we do the live demo, we use an AI that's actually on the public Internet, not even on the dark web, that you can subscribe to, I think, for 50 bucks a month, right? And we demo this in live, in real time. And obviously we pray to the demonstration Gods every time we're doing a live demo and but yeah, and we show how easy it is, but more importantly, we show through the results from VirusTotal, how it blasts through everything. So the threat landscape, I mentioned these kind of eras, right?
One of the reasons I moved to di was I felt it was tight, right? There was a massive change to the threat landscape coming. And again, one of those things of being at Citi and testing it, and testing it, seeing the results, and then deploying it, yeah, and just seeing it in action. So I wanted to join and be part of something that's part of the next era, right? So we built our core product portfolio based off deep learning, but we cover, you know, cloud. Our biggest growth is, is honestly not endpoint. We have a good endpoint agent and all that. But, you know, some verticals actually, endpoint is a big play, but our biggest kind of thing is really right now, is Zero Trust data in motion storage. We just, oh, yeah, we just launched a native Amazon product. We've won awards from, you know, we're in the Amazon ISP program. We accepted award from the New York Stock Exchange the other month, right? So it's taking that deep learning core tech and solving problems, right? And obviously we're guided a lot by by our big financial, global financial customers and whatever, because they're generally, yeah, ahead of the curve. So yeah, that's what, that's what we've done. And then our amazing team in Israel. So one thing we had with generative AI and the threat landscape, right? Everything that you and I have known is no longer relevant. So and again, as I was putting this kind of thing together for AWS, what do I mean by that? So if I go all the way back to the start, we had hashes, right? And then we had signatures, and then, and then the bad actors at unknown kind of tweak one one character, and the signature wouldn't work. So then we had heuristics. Now heuristics were awful, false positives and whatever, right? And then, and there's, there's a whole bunch of other technologies in here as well, CDR, browser isolation, right? I'm kind of right. There's a whole but, yeah, each era, you can kind of see the this is no longer good enough, right? 
We go through now, why I'm saying that this is totally, fundamentally a new era is because, yeah, using the dark AI generative LLMs, you've got the kill chain, right? So we live demo creating nation state sophisticated malware in seconds and blowing through everything that people have today, right? And that's on a publicly available LLM yeah. Right? So the bad actors now and Microsoft have confirmed that they're seeing AI LLM generative, AI scraping LinkedIn for reconnaissance, right? Google and others have talked about vulnerability and exploit, kind of zero-day exploit, right? So that's delivery we can demo all day long, malware, ransomware, and then, obviously you've got the sophisticated phishing, the deep fake video, the deep fake audio. What was that thing? I think it was last year, a fake Zoom. Everybody on a Zoom was fake. And it was a, it was in Singapore. It was a 30, 28 million, $30 million fraud. The poor employee joined the Zoom and thought he was talking to the CFO, and it was all fake, right? So this is what I mean about we're in a new era, because everything you and I have done and the listeners to this have done historically relied on the fact that we knew something, we saw the bad thing, and then we created a signature, right? We yeah, we saw some behavior, and the heuristics or machine learning kicked in right now, machine learning, and again, machine learning has a place in some use cases. I don't want to kind of say it's totally dead some use cases. But when the when the everything is unique and zero day, the machine learning you train in models all the time. Deep learning, we only release our model maybe once or twice a year. It's just fundamentally different. And this is the I remember when I first heard about Deep Instinct and deep learning, I didn't believe it. I'm like, That's not but you can't do that. And that was based on my experience, right? Not what's reality. So we're entering this new era of, you know, you're a zero player, right?
There's no such thing as trust. You can't believe what you see. You can't believe what you read. But from a threat, you know, malware, ransomware, threat perspective, everything is unique and everything is nation state, sophisticated, because that's what the tool enables the bad actors to do. Right now, here's then I read this. I can't take credit for this, but because it's so easy to use generative AI to do this stuff, you're going to see more bad actors, not less, right? You're going to see more people in break because Jensen at Nvidia, right? We're moving from instruction based computing to intent based compute. You don't need to be an expert in ransomware and phishing and whatever. There are tens of thousands of LLMs today that are working on each part of the kill chain. And you know for sure, the bad actors are going to have an AI that's orchestrating those LLMs, right? So we're not there yet, and I'm not a scaremonger, but we're going to get there at some point, because just like enterprises, I saw HSBC, Citi and others tout some amazing advances with how they're leveraging AI and agentic AI. HSBC, hats off to them, because they're doing quantum as well. That was that was interesting in trading, not not just in cryptography and stuff. Yeah, we're in a new era, mate. We're just in the new era, and the things that you and I used to rely on, like on a URL filtering and, all right, it might have a place, but it's a lot less effective than what it used

Raghu N  58:31

to be, absolutely. Well, you know what? I think that just that summary at the end about the present and future of what cyberattacks and bad actors are going to what they're going to be doing, I think that's a great place for us to sort of end and like something to just spark the idea. So, Carl, this has been like an episode that I've had sort of three years in the making, so I'm glad we're able to finally record it. Mate, it's always a pleasure to chat to you, and particularly to have you on The Segment and to talk about sort of your 30 years in cyber in this way. So cheers. Thanks for the time.

Carl  59:10

No, thank you. It's always a pleasure. And for the audience here one of the best, most genuine people you'll ever meet. So no thanks for having me on, man,

Raghu N  59:18

mind you'll edit mind you'll edit that out.

Carl  59:21

We'll maybe do a we'll maybe do a follow up version to depending what's in the comments.

Raghu N  59:25

Yeah, sounds good. Sounds good. I know there's a big fan base that are going to be listening to this, that we're going to send this out to. Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio, and if you like today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.